Feds Lag On ID Theft Notification

The names and bank account details of up to 40 million credit-card holders have been exposed to fraud. Too bad that information reached the public largely thanks to California.

That's right, the rest of the nation has been made aware of serious identity breaches because California forces companies to notify consumers when such theft happens. The federal government, in the meantime, hasn't done anything to require the same.

Even though other states are following California's lead, Congress can't afford to drag its feet on this national issue anymore. The reason is simple: Consumers have the right to know when their private information has been compromised.

"At this point, so many people are affected by identity theft that there is increasing pressure on federal legislators to do something that will go well beyond just holding hearings," said Susanna Montezemolo, a policy analyst at Consumers Union, which promotes consumers' interests through its policy initiatives and publishes Consumer Reports magazine.

The figures on this issue are stunning. Nearly 10 million people fall victim to identity theft each year, costing consumers $5 billion in out-of-pocket losses and businesses $48 billion, according to the Federal Trade Commission.

More than just money is lost. The Identity Theft Resource Center, a non-profit group based in San Diego, estimates the average victim spends about 600 hours trying to clear up credit problems.

The biggest data breach so far came last week with news that 40 million accounts were exposed to possible fraud. While the compromised data did not include addresses or Social Security numbers, the information that may have been viewed could be used to steal funds.

This mess was traced to Atlanta-based CardSystems Solutions Inc., which processes credit card and other payments for banks and merchants. CardSystems, according to MasterCard International Inc., which publicized the breach, inappropriately held on to card data for research purposes rather than deleting it. Forty million accounts were exposed, and records pertaining to at least 200,000 were known to have been stolen, primarily MasterCard and Visa cards.

Earlier this month, Citigroup Inc. said UPS lost computer tapes with sensitive information from 3.9 million customers of CitiFinancial, which provides loans.

ChoicePoint Inc. said in February that thieves using stolen identities created 50 dummy businesses that pulled data including names, addresses and Social Security numbers on as many as 145,000 people. This spring, LexisNexis Inc. disclosed that hackers had commandeered a database and gained access to the personal files of as many as 310,000 people.

Other companies, including Bank of America Corp., DSW Shoe Warehouse and BJ's Wholesale Club Inc., have also faced recent problems with data theft.

If it were not for California's law, which went into effect in 2003, consumers might not have known that any of this was even going on. Under that state's rules, companies must notify residents whenever sensitive personal data has been compromised.

And since many large companies do business in California, when they comply with that law consumers around the country end up learning about a security breach.

Illinois and Washington have recently passed bills dealing with identity theft and a handful of others are considering legislation.

But the big push is for Congress to do the same. A number of bills requiring notification and higher security standards for personal data have been working their way through committees in both the House and the Senate.

"Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive identity theft prevention bill in Congress quickly. Consumers' personal and financial data has become the gold of the 21st century and we need to protect it accordingly," said Sen. Charles Schumer, D-N.Y.

Schumer has introduced legislation on identity theft with Sen. Bill Nelson, D-Fla. His comments came last week after the credit-card breach was made public.

But to date no bill has reached the mark-up stage, which means that with Congress about to leave for its summer recess, it will be the fall, and maybe well after that, before any measure advances.

Such legislation may only be passed if Washington lawmakers can stand up to pressures coming from the financial services industry.

While many groups in that sector say they support rule changes, they are pushing to keep some control over what circumstances would trigger a notification requirement. They say there is a risk of flooding consumers with warnings, making them numb to the most serious threats.